Quản trị mạng - Chapter 1: Modern network security threats

Chapter 1 – Modern Network Security Threats CCNA Security Objectives • Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Fundamental Principles of a Secure network Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Evolution of Network Security • In July 2001, the Code Red worm attacked web servers globally, infecting over 350,000 hosts. • The Code Red worm caused a Denial of Service (DoS) to millions of users. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Evolution of Network Security • When the first viruses were unleashed and the first DoS attack occurred, the world began to change for networking professionals. • To meet the needs of users, network professionals learned techniques to secure networks. • Refer to 1.1.1.2 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Evolution of Network Security Year Security Technology 1984 First IDS for ARPAnet (SRI International IDES) Late 1988 DEC Packet Filter Firewall 1989 AT&T Bell Labs Statefull Firewall 1991 DEC SEAL Application Layer Firewal Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com 1994 Check Point Firewall 1995 NetRanger IDS August, 1997 RealSecure IDS 1998 Snort IDS Late 1999 First IPS 2006 Cisco Zone-based Policy Firewal 2010 Cisco Security Intelligence Operations Evolution of Network Security • An IDS provides real-time detection of certain types of attacks while they are in progress • This detection allows network professionals to more quickly mitigate the negative impact of these attacks on network devices and users. • In the late 1990s, the intrusion prevention system or sensor (IPS) began to replace the IDS solution. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com • IPS devices enable the detection of malicious activity and have the ability to automatically block the attack in real-time. • In addition to IDS and IPS solutions, firewalls were developed to prevent undesirable traffic from entering prescribed areas within a network, thereby providing perimeter security. Evolution of Network Security Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com • Internal threats fall into two categories: spoofing and DoS Evolution of Network Security Evolution of LAN Security Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Evolution of Network Security Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com • Three components of information: confidentiality, integrity, availability. • Encrypting Data: Encryption provides confidentiality by hiding plaintext data. • Data integrity: data is not changed from source to destination • Availability: Data accessibility, is guaranteed by network hardening mechanisms and backup systems Evolution of Network Security Evulution of Data Protection Technologies Year Security Technology 1993 Cisco GRE Tunnels 1996 Site-to-Site IPSec VPNs 1999 SSH Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com 2000 MPLS VPNs 2001 Remote-access IPSec VPN 2002 Dynamic Multipoint VPN 2005 SSL VPN 2010 Group Encrypted Transport VPN (GET VPN) Drivers for Network Security • The word hackers has a variety of meanings. • For many, it means Internet programmers who try to gain unauthorized access to devices on the Internet. • It is also used to refer to individuals that run programs to prevent or slow network Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com access to a large number of users, or corrupt or wipe out data on servers. • But for some, the term hacker has a positive interpretation as a network professional that uses sophisticated Internet programming skills to ensure that networks are not vulnerable to attack. Good or bad, hacking is a driving force in network security. Drivers for Network Security Refer to 1.1.2.2 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com • Hacking started in the 1960s with phone freaking, or phreaking, which refers to using various audio frequencies to manipulate phone systems. • Wardialing programs automatically scanned telephone numbers within a local area, dialing each one in search of computers, bulletin board systems, and fax machines • When a phone number was found, password-cracking programs were used to gain access. • Wardriving, users gain unauthorized access to networks via wireless access points. • A number of other threats have evolved since the 1960s, including network scanning tools such as Nmap and SATAN, as well as remote system administration hacking tools such as Back Orifice. Drivers for Network Security • What is the job of a network security professional ? 1. To stay one step ahead of the hackers by • attending training and workshops, • participating in security organizations, • subscribing to real-time feeds regarding threats, 2. Have access to state-of-the art security tools, protocols, techniques, and technologies. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com • and perusing security websites on a daily basis. 3. Always remain aware of malicious activities and have the skills and tools to minimize or eliminate the threats associated with those activities. Drivers for Network Security Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com This virus resulted in memory overflows in Internet mail servers. Drivers for Network Security Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Robert Morris created the first Internet worm with 99 lines of code. Drivers for Network Security Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Drivers for Network Security Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Drivers for Network Security Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Network Security Organizations • SysAdmin, Audit, Network, Security (SANS) Institute • Computer Emergency Response Team (CERT) • International Information Systems Security Certification Consortium (pronounce (ISC)2 as "I-S-C-squared") Network security professionals must Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com collaborate with professional colleagues more frequently than most other professions. Network Security Organizations • SANS was established in 1989 as a cooperative research and education organization. • The focus of SANS is information security training and certification. • SANS develops security courses that can be taken to prepare for Global Information Assurance Certification (GIAC) in auditing, management, operations, legal issues, security administration, and software security Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Network Security Organizations • CERT is part of the U.S. federally funded Software Engineering Institute (SEI) at Carnegie Mellon University. • CERT is chartered to work with the Internet community in detecting and resolving computer security incidents. • CERT responds to major security incidents and analyzes product vulnerabilities. • CERT focuses on 5 areas: software assurance, secure systems, organizational security, coordinated response, and education and Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com training. Network Security Organizations • (ISC)2 provides vendor-neutral education products and career services in more than 135 countries • The mission of (ISC)2 is to make the cyber world a safe place through elevating information security to the public domain and supporting and developing information security professionals around the world. • Detail: 1.1.3.4 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Network Security Organizations • In addition to the websites of the various security organizations, one of the most useful tools for the network security professional is Really Simple Syndication (RSS) feeds. • RSS is a family of XML-based formats used to publish frequently updated information, such as blog entries, news headlines, audio, and video • Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com RSS uses a standardized format. An RSS feed includes complete or summarized text, plus metadata, such as publishing dates and authorships.. • By using RSS, a network security professional can acquire up-to-date information on a daily basis and aggregate real-time threat information for review at any time. Domains of Network Security Domains of Network Security Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Refer: 1.1.4.1 Domains of Network Security Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Domains of Network Security The 12 domains of network security provide a convenient separation for the elements of network security. One of the most important domains is security policy. “ A security policy is a formal statement of the rules by which people must abide who are given access to the technology and information assets of an organization “ Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Network Security Policies The policy is used to aid in network design, convey security principles, and facilitate network deployments. The network security policy outlines rules for network access, determines how policies are enforced, and describes the basic architecture of the organization's network security environment. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Network Security Policies A Cisco Self-Defending Network (SDN) uses the network to identify, prevent, and adapt to threats. Unlike point-solution strategies, where products are purchased individually without consideration for which products work best together, a network-based approach is a strategic approach that meets the current challenges and evolves to address new security needs. A Cisco SDN begins with a strong, secure, flexible network platform from which a Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com security solution is built. Network Security Policies Refer to 1.1.5.2 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Network Security Policies Detail: 1.1.5.3 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Network Security Policies Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com A security policy is a "living document," meaning that the document is never finished and is continuously updated as technology, business, and employee requirements change. Viruses, Worms, and Trojan Horses Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Viruses • A virus is malicious software which attaches to another program to execute a specific unwanted function on a computer. • A worm executes arbitrary code and installs copies of itself in the memory of the infected computer, which then infects other hosts. • A Trojan Horse is an application written to look like something else. When a Trojan Horse is downloaded and opened, it attacks the end-user computer from within. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com • Refer: 1.2.1.1 Viruses • The term virus refers to an infectious organism that requires a host cell to grow and replicate. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Viruses • A virus is a malicious code that is attached to legitimate programs or executable files. • Most viruses require end-user activation and can lay dormant for an extended period and then activate at a specific time or date. • When activated, the virus might check the disk for other executables, so that it can infect all the files it has not yet infected. • Today, most viruses are spread by USB memory sticks, CDs, DVDs, network shares, or email. Email viruses are now the most common type of Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com virus. Worms • Worms are a particularly dangerous type of hostile code. • They replicate themselves by independently exploiting vulnerabilities in networks. • Worms usually slow down networks. • Worms are responsible for some of the most devastating attacks on the Internet. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Worms • Most worm attacks have three major components: – Enabling vulnerability - A worm installs itself using an exploit mechanism (email attachment, executable file, Trojan Horse) on a vulnerable system. – Propagation mechanism - After gaining access to a device, the worm replicates itself and locates new targets. – Payload - Any malicious code that results in some action. Most often this is used to create a backdoor to the infected host. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com • Worms are self-contained programs that attack a system to exploit a known vulnerability. • Refer to 1.2.2.2 Worms • There are five basic phases of attack, regardless of whether a worm or virus is deployed. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Trojan Horses • A Trojan Horse in the world of computing is malware that carries out malicious operations under the guise of a desired function. • A virus or worm could carry a Trojan Horse. • A Trojan Horse contains hidden, malicious code that exploits the privileges of the user Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com that runs it. • The Trojan Horse concept is flexible. • It can cause immediate damage, provide remote access to the system (a back door), or perform actions as instructed remotely, such as "send me the password file once per week.“ Trojan Horses • Trojan Horses are usually classified according to the damage that they cause or Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com the manner in which they breach a system: – Remote-access Trojan Horse (enables unauthorized remote access) – Data sending Trojan Horse (provides the attacker with sensitive data such as passwords) – Destructive Trojan Horse (corrupts or deletes files) – Proxy Trojan Horse (user's computer functions as a proxy server) – FTP Trojan Horse (opens port 21) – Security software disabler Trojan Horse (stops anti-virus programs or firewalls from functioning) – Denial of Service Trojan Horse (slows or halts network activity) Mitigating Viruses, Worms, Trojan Horses • A majority of the software vulnerabilities that are discovered relate to buffer overflows. • A buffer is an allocated area of memory used by processes to store data temporarily. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Mitigating Viruses, Worms, Trojan Horses Mitigating Viruses and Trojan • The primary means of mitigating virus and Trojan horse attacks is anti-virus software. • Anti-virus products are host-based. • These products are installed on computers and servers to detect and eliminate viruses. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Mitigating Viruses, Worms, Trojan Horses Mitigating Worms • The containment phase involves limiting the spread of a worm infection to areas of the network that are already affected. • The inoculation phase runs parallel to or subsequent to the containment phase. • The quarantine phase involves tracking down and identifying infected machines within the contained areas and disconnecting, blocking, or Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com removing them. • During the treatment phase, actively infected systems are disinfected of the worm Mitigating Viruses, Worms, Trojan Horses • In the case of the SQL Slammer worm, malicious traffic was detected on UDP port 1434. • This port should normally be blocked by a firewall on the perimeter. • Some organizations could not block UDP port 1434 because it was required to access the SQL Server for legitimate business transactions. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Mitigating Viruses, Worms, Trojan Horses • Cisco Security Agent (CSA) is a host-based intrusion prevention system that can be integrated with anti-virus software from various vendors. • Another solution for mitigating threats is Cisco Network Admission Control (NAC). • Cisco Security Monitoring, Analysis, and Response System (MARS) provides security monitoring for network security devices and host applications created by Cisco and other providers Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Attack Methodologies Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Type of attacks • There are many different types of network attacks other than viruses, worms, and Trojan Horses: Refer: 1.3.1.1 • Reconnaissance Attacks – Reconnaissance attacks involve the unauthorized discovery and mapping of systems, services, or vulnerabilities. – Reconnaissance is analogous to a thief surveying a neighborhood for vulnerable homes to break into, such as an unoccupied residence or a Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com house with an easy-to-open door or window. • Access Attacks – Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information. • Denial of Service Attacks – Denial of service attacks send extremely large numbers of requests over a network or the Internet Reconnaissance Attacks • Reconnaissance is also known as information gathering and, in most cases, precedes an access or DoS attack. • In a reconnaissance attack, the malicious intruder typically begins by conducting a ping sweep of the target network to determine which IP addresses are active. • Reconnaissance attacks use various tools to gain access to a network: – Packet sniffers – Ping sweeps Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com – Port scans – Internet information queries Refer: 1.3.1.2 Reconnaissance Attacks • A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN. • Packet sniffers can only work in the same collision domain as the network being attacked, unless the attacker has access to the intermediary switches. • Numerous freeware and shareware packet sniffers, such as Wireshark, are available and do not require the user to understand anything about the Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com underlying protocols. • Refer: 1.3.1.3 Reconnaissance Attacks • Refer: 1.3.1.4 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Reconnaissance Attacks • Keep in mind that reconnaissance attacks are typically the precursor to further attacks with the intention of gaining unauthorized access to a network or disrupting network functionality. • A network security professional can detect when a reconnaissance attack is underway by configured alarms that are triggered when certain parameters are exceeded, such as ICMP requests per second. • A Cisco ISR supports the security technologies that enable these types of alarms to be triggered. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com • Host-based intrusion prevention systems and standalone network-based intrusion detection systems can also be used to notify when a reconnaissance attack is occurring. Access Attacks • Hackers use access attacks on networks or systems for three reasons: retrieve data, gain access, and escalate access privileges. • Access attacks often employ password attacks to guess system passwords. • Password attacks can be implemented using several methods, including brute-force attacks, Trojan Horse programs, IP spoofing, and packet sniffers • A brute-force attack is often performed using a program that runs across Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com the network and attempts to log in to a shared resource, such as a server. • Refer: 1.3.2.1 Access Attacks • There are five types of access attacks: • An attacker attempts to guess system passwords. Password attack Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Access Attacks • Refer: 1.3.2.2 • An attacker uses privileges granted to a system in an unauthorized way Trust exploitation Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Access Attacks • A compromised system is used as a jump-off point for attacks against other targets Port redirection Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Access Attacks • An attacker is positioned in the middle of communications between two legitimate entities in order to read or modify the data that passes between the two parties. Man-in-the-middle attack Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Access Attacks • A program writes data beyond the allocated buffer memory. • A result of the overflow is that valid data is overwritten or exploited to enable the execution of malicious code. Buffer overflow Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Access Attacks • Access attacks in general can be detected by reviewing logs, bandwidth utilization, and process loads. • Example: ManageEngine EventLog Analyzer or Cisco Secure Access Control Server (CSACS) Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Denial of Service Attacks Refer: 1.3.3.1 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com • A DoS attack is a network attack that devices can not provide service for user because of overflow buffer or CPU and so on. • There are two major reasons a DoS attack occurs: – A host or application fails to handle an unexpected condition, such as maliciously formatted input data, an unexpected interaction of system components, or simple resource exhaustion. – A network, host, or application is unable to handle an enormous quantity of data, causing the system to crash or become extremely slow. Denial of Service Attacks • Refer: 1.3.3.2 DoS attack Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Denial of Service Attacks • Refer: 1.3.3.2 A Distributed Denial of Service Attack (DDoS) Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Denial of Service Attacks • Ping of Death – In a ping of death attack, a hacker sends an echo request in an IP packet larger than the maximum packet size of 65,535 bytes. – Sending a ping of this size can crash the target computer. – A variant of this attack is to crash a system by sending ICMP fragments, which fill the reassembly buffers of the target. • Refer: 1.3.3.3: Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Denial of Service Attacks • Smurf Attack – In a smurf attack, a perpetrator sends a large number of ICMP requests to directed broadcast addresses, all with spoofed source addresses on the same network as the respective directed broadcast. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Denial of Service Attacks • TCP SYN Flood – In a TCP SYN flood attack, a flood of TCP SYN packets is sent, often with a forged sender address. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Denial of Service Attacks Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com There are five basic ways that DoS attacks can do harm: 1. Consumption of resources, such as bandwidth, disk space, or processor time 2. Disruption of configuration information, such as routing information 3. Disruption of state information, such as unsolicited resetting of TCP sessions 4. Disruption of physical network components 5. Obstruction of communication between the victim and others. Mitigating Network Attacks The important question is, 'How do I mitigate these network attacks?' Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Mitigating Network Attacks Mitigating Reconnaissance Attack Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Mitigating Network Attacks Mitigating Access Attack Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Mitigating Network Attacks Mitigating DoS Attack Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com 10 best practices represent the best insurance for network: 1. Keep patches up to date by installing them weekly or daily, if possible, to prevent buffer overflow and privilege escalation attacks. 2. Shut down unnecessary services and ports. 3. Use strong passwords and change them often 4. Control physical access to systems. 5. Mitigating Network Attacks Avoid unnecessary web page inputs. 6. Perform backups and test the backed up files on a regular basis. 7. Educate employees about the risks of social engineering, and develop strategies to validate identities over the phone, via email, or in person. 8. Encrypt and password-protect sensitive data. 9. Implement security hardware and software such as firewalls, IPSs, virtual private network (VPN) devices, anti-virus software, and content filtering. 10. Develop a written security policy for the company. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Mitigating Network Attacks Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Summary Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com